RESOLVED FIXED 170924
ASSERTION FAILED: inIndex != notFound in JSC::invalidParameterInSourceAppender()
https://bugs.webkit.org/show_bug.cgi?id=170924
Summary ASSERTION FAILED: inIndex != notFound in JSC::invalidParameterInSourceAppender()
Daniel Bates
Reported 2017-04-17 16:06:26 PDT
1. Create a page xss.php with the following markup that can be served from an HTTP server:

<script>var q="<?php echo $_GET['q']; ?>"</script>

2. Access the page at <http://127.0.0.1/xss.php?q=%22i\u006E+alert(1)//>, modifying the URL as needed to access xss.php.

Then the WebProcess will crash because the assertion RELEASE_ASSERT(inIndex != notFound) fails in JSC::invalidParameterInSourceAppender().

I am using a local build of Mac WebKit at r215419.
Attachments
Test case (44 bytes, text/html)
2017-04-19 16:15 PDT, Daniel Bates
no flags
patch (7.43 KB, patch)
2017-04-25 19:19 PDT, Saam Barati
no flags
patch (7.44 KB, patch)
2017-04-25 19:20 PDT, Saam Barati
mark.lam: review+
buildbot: commit-queue-
Archive of layout-test-results from ews101 for mac-elcapitan (964.97 KB, application/zip)
2017-04-25 20:10 PDT, Build Bot
no flags
Archive of layout-test-results from ews106 for mac-elcapitan-wk2 (1.04 MB, application/zip)
2017-04-25 20:19 PDT, Build Bot
no flags
Archive of layout-test-results from ews123 for ios-simulator-wk2 (15.44 MB, application/zip)
2017-04-25 21:00 PDT, Build Bot
no flags
Archive of layout-test-results from ews112 for mac-elcapitan (1.60 MB, application/zip)
2017-04-25 21:55 PDT, Build Bot
no flags
patch for landing (15.07 KB, patch)
2017-04-26 14:56 PDT, Saam Barati
buildbot: commit-queue-
patch for landing (15.96 KB, patch)
2017-04-26 16:07 PDT, Saam Barati
no flags
Daniel Bates
Comment 1 2017-04-17 16:34:28 PDT
ASSERTION FAILED: inIndex != notFound
/Volumes/Data/WebKitDevGit/OpenSource/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp(208) : WTF::String JSC::invalidParameterInSourceAppender(const WTF::String &, const WTF::String &, JSC::RuntimeType, ErrorInstance::SourceTextWhereErrorOccurred)
1 0x109b6a00d WTFCrash
2 0x1091ef117 JSC::invalidParameterInSourceAppender(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred)
3 0x1091e6f65 JSC::appendSourceToError(JSC::ExecState*, JSC::ErrorInstance*, unsigned int)
4 0x1091e6c9e JSC::ErrorInstance::finishCreation(JSC::ExecState*, JSC::VM&, WTF::String const&, bool)
5 0x1091e1efa JSC::ErrorInstance::create(JSC::ExecState*, JSC::VM&, JSC::Structure*, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType, bool)
6 0x1091e242a JSC::createTypeError(JSC::ExecState*, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred), JSC::RuntimeType)
7 0x1091eed6b JSC::createError(JSC::ExecState*, JSC::JSValue, WTF::String const&, WTF::String (*)(WTF::String const&, WTF::String const&, JSC::RuntimeType, JSC::ErrorInstance::SourceTextWhereErrorOccurred))
8 0x1091eefce JSC::createInvalidInParameterError(JSC::ExecState*, JSC::JSValue)
9 0x108ccb710 JSC::CommonSlowPaths::opIn(JSC::ExecState*, JSC::JSValue, JSC::JSValue, JSC::ArrayProfile*)
10 0x108ccb549 slow_path_in
11 0x1096ced82 llint_entry
12 0x1096c86fe vmEntryToJavaScript
13 0x10949e89e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
14 0x10945009f JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*)
15 0x108cdb028 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
16 0x108cdb1f0 JSC::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
17 0x110243e1b WebCore::JSMainThreadExecState::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
18 0x110243c08 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*)
19 0x110243efd WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&, WebCore::ExceptionDetails*)
20 0x110259b42 WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&)
21 0x110257f8f WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport)
22 0x10e9dba60 WebCore::HTMLScriptRunner::runScript(WebCore::ScriptElement&, WTF::TextPosition const&)
23 0x10e9db8cf WebCore::HTMLScriptRunner::execute(WTF::Ref<WebCore::ScriptElement>&&, WTF::TextPosition const&)
24 0x10e902b72 WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder()
25 0x10e9030d3 WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&)
26 0x10e901e18 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)
27 0x10e90196b WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode)
28 0x10e9043da WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&)
29 0x10e2dec22 WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter&, char const*, unsigned long)
30 0x10e424b79 WebCore::DocumentWriter::addData(char const*, unsigned long)
31 0x10e3d866f WebCore::DocumentLoader::commitData(char const*, unsigned long)
Daniel Bates
Comment 2 2017-04-19 16:15:55 PDT
Created attachment 307519 [details]
Test case

For convenience, I attached a test case that represents the rendered output of the web page shown by following the reproduction steps.
Radar WebKit Bug Importer
Comment 3 2017-04-19 16:53:04 PDT
Saam Barati
Comment 4 2017-04-19 17:15:49 PDT
This is a silly bug, and it should be an easy fix. The code I wrote searches for the string "in"; however, we parse various Unicode characters as "n". So the test program is parsed as an "in" expression, but we don't find the string "in" (obviously, because the source does not have the character "n" in it).
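Added illustration, not part of this bug thread and not WebKit's code: a simplified C++ model of the mismatch Comment 4 describes. A lexer decodes the escape `\u006E` to `n`, so the parser sees an `in` expression, while a substring search over the raw source text never finds "in". The defensive appender falls back to the plain message when the keyword is not located instead of asserting. All function names, the message format and the sample inputs are constructed for this demo; the real fix that landed in r215852 is not reproduced here.

```cpp
#include <cctype>
#include <cstddef>
#include <string>

// Hypothetical helpers modelling the shape of the problem; none of this is
// copied from JavaScriptCore's ExceptionHelpers.cpp.

static bool isIdentChar(char c) {
    return std::isalnum(static_cast<unsigned char>(c)) || c == '_' || c == '$';
}

static std::string trim(const std::string& s) {
    size_t b = s.find_first_not_of(" \t\n");
    if (b == std::string::npos) return "";
    size_t e = s.find_last_not_of(" \t\n");
    return s.substr(b, e - b + 1);
}

// Decode JavaScript \uXXXX escapes the way a lexer does before keyword matching,
// so the raw text `i\u006E` becomes the keyword `in`. Only ASCII code points are
// substituted; anything else is left as the raw escape (simplification).
std::string decodeUnicodeEscapes(const std::string& raw) {
    std::string out;
    for (size_t i = 0; i < raw.size(); ++i) {
        bool isEscape = raw[i] == '\\' && i + 5 < raw.size() && raw[i + 1] == 'u'
            && std::isxdigit(static_cast<unsigned char>(raw[i + 2]))
            && std::isxdigit(static_cast<unsigned char>(raw[i + 3]))
            && std::isxdigit(static_cast<unsigned char>(raw[i + 4]))
            && std::isxdigit(static_cast<unsigned char>(raw[i + 5]));
        if (isEscape) {
            unsigned long cp = std::stoul(raw.substr(i + 2, 4), nullptr, 16);
            if (cp < 0x80) {
                out.push_back(static_cast<char>(cp));
                i += 5;
                continue;
            }
        }
        out.push_back(raw[i]);
    }
    return out;
}

// Locate "in" as a standalone token in the given text. Returns std::string::npos
// (the analogue of WTF::notFound) when absent, which is exactly what happens for
// raw source that spells the keyword with an escape.
size_t findInKeyword(const std::string& text) {
    size_t pos = text.find("in");
    while (pos != std::string::npos) {
        bool leftBoundary = pos == 0 || !isIdentChar(text[pos - 1]);
        bool rightBoundary = pos + 2 >= text.size() || !isIdentChar(text[pos + 2]);
        if (leftBoundary && rightBoundary) return pos;
        pos = text.find("in", pos + 1);
    }
    return std::string::npos;
}

// The assumption this bug report is about: "if the parser built an `in`
// expression, the raw source must contain the text in". False with escapes.
bool rawSourceContainsIn(const std::string& raw) {
    return findInKeyword(raw) != std::string::npos;
}

// Defensive appender: enrich the message only when the keyword is located in the
// raw source; otherwise return the plain message instead of asserting.
std::string describeInvalidIn(const std::string& plainMessage,
                              const std::string& raw,
                              const std::string& rhsType) {
    size_t inIndex = findInKeyword(raw);
    if (inIndex == std::string::npos)
        return plainMessage;  // graceful degradation, not RELEASE_ASSERT
    std::string rhs = trim(raw.substr(inIndex + 2));
    return plainMessage + " (right-hand side of 'in' was '" + rhs
        + "', type " + rhsType + ")";
}
```

The constructed input `"" i\u006E x` is the shape of the reporter's script after the query string is echoed in: the decoded form contains the keyword and `rawSourceContainsIn` is true for it, but the raw form yields npos, which is the path that tripped the assertion.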
Saam Barati
Comment 5 2017-04-25 19:19:41 PDT
Saam Barati
Comment 6 2017-04-25 19:20:47 PDT
Build Bot
Comment 7 2017-04-25 19:59:02 PDT
Comment on attachment 308191 [details]
patch

Attachment 308191 [details] did not pass jsc-ews (mac):
Output: http://webkit-queues.webkit.org/results/3606661

New failing tests:
stress/destructuring-assignment-accepts-iterables.js.ftl-eager-no-cjit-b3o1
jsc-layout-tests.yaml/js/script-tests/let-syntax.js.layout-ftl-no-cjit
stress/destructuring-assignment-accepts-iterables.js.ftl-no-cjit-no-inline-validate
jsc-layout-tests.yaml/js/script-tests/let-syntax.js.layout
stress/destructuring-assignment-accepts-iterables.js.ftl-no-cjit-no-put-stack-validate
stress/destructuring-assignment-accepts-iterables.js.no-cjit-collect-continuously
stress/destructuring-assignment-accepts-iterables.js.no-ftl
stress/destructuring-assignment-accepts-iterables.js.no-llint
stress/destructuring-assignment-accepts-iterables.js.ftl-no-cjit-small-pool
jsc-layout-tests.yaml/js/script-tests/let-syntax.js.layout-no-llint
stress/destructuring-assignment-accepts-iterables.js.dfg-eager
jsc-layout-tests.yaml/js/script-tests/let-syntax.js.layout-ftl-eager-no-cjit
stress/destructuring-assignment-accepts-iterables.js.dfg-maximal-flush-validate-no-cjit
jsc-layout-tests.yaml/js/script-tests/let-syntax.js.layout-no-ftl
jsc-layout-tests.yaml/js/script-tests/let-syntax.js.layout-dfg-eager-no-cjit
stress/destructuring-assignment-accepts-iterables.js.default
stress/destructuring-assignment-accepts-iterables.js.ftl-eager-no-cjit
stress/destructuring-assignment-accepts-iterables.js.ftl-eager
stress/destructuring-assignment-accepts-iterables.js.ftl-no-cjit-b3o1
jsc-layout-tests.yaml/js/script-tests/let-syntax.js.layout-no-cjit
stress/destructuring-assignment-accepts-iterables.js.dfg-eager-no-cjit-validate
stress/destructuring-assignment-accepts-iterables.js.ftl-no-cjit-validate-sampling-profiler
stress/destructuring-assignment-accepts-iterables.js.no-cjit-validate-phases
Mark Lam
Comment 8 2017-04-25 20:00:13 PDT
Comment on attachment 308191 [details]
patch

LGTM. Please fix EWS issues.
Build Bot
Comment 9 2017-04-25 20:10:37 PDT
Comment on attachment 308191 [details]
patch

Attachment 308191 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/3606743

New failing tests:
imported/w3c/web-platform-tests/css-timing-1/step-timing-functions-output.html
js/let-syntax.html
imported/w3c/web-platform-tests/css-timing-1/frames-timing-functions-output.html
imported/w3c/web-platform-tests/css-timing-1/cubic-bezier-timing-functions-output.html
Build Bot
Comment 10 2017-04-25 20:10:38 PDT
Created attachment 308195 [details]
Archive of layout-test-results from ews101 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews101  Port: mac-elcapitan  Platform: Mac OS X 10.11.6
Build Bot
Comment 11 2017-04-25 20:19:36 PDT
Comment on attachment 308191 [details]
patch

Attachment 308191 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/3606771

New failing tests:
imported/w3c/web-platform-tests/css-timing-1/step-timing-functions-output.html
js/let-syntax.html
imported/w3c/web-platform-tests/css-timing-1/frames-timing-functions-output.html
imported/w3c/web-platform-tests/css-timing-1/cubic-bezier-timing-functions-output.html
Build Bot
Comment 12 2017-04-25 20:19:38 PDT
Created attachment 308197 [details]
Archive of layout-test-results from ews106 for mac-elcapitan-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews106  Port: mac-elcapitan-wk2  Platform: Mac OS X 10.11.6
Build Bot
Comment 13 2017-04-25 21:00:32 PDT
Comment on attachment 308191 [details]
patch

Attachment 308191 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/3606854

New failing tests:
imported/w3c/web-platform-tests/css-timing-1/step-timing-functions-output.html
js/let-syntax.html
imported/w3c/web-platform-tests/css-timing-1/frames-timing-functions-output.html
imported/w3c/web-platform-tests/css-timing-1/cubic-bezier-timing-functions-output.html
Build Bot
Comment 14 2017-04-25 21:00:34 PDT
Created attachment 308206 [details]
Archive of layout-test-results from ews123 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews123  Port: ios-simulator-wk2  Platform: Mac OS X 10.11.6
Build Bot
Comment 15 2017-04-25 21:55:32 PDT
Comment on attachment 308191 [details]
patch

Attachment 308191 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/3607284

New failing tests:
imported/w3c/web-platform-tests/css-timing-1/step-timing-functions-output.html
js/let-syntax.html
imported/w3c/web-platform-tests/css-timing-1/frames-timing-functions-output.html
imported/w3c/web-platform-tests/css-timing-1/cubic-bezier-timing-functions-output.html
Build Bot
Comment 16 2017-04-25 21:55:33 PDT
Created attachment 308212 [details]
Archive of layout-test-results from ews112 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews112  Port: mac-elcapitan  Platform: Mac OS X 10.11.6
Saam Barati
Comment 17 2017-04-26 12:41:52 PDT
Will rebaseline the failing tests.
Saam Barati
Comment 18 2017-04-26 14:56:47 PDT
Created attachment 308289 [details]
patch for landing
Build Bot
Comment 19 2017-04-26 15:34:26 PDT
Comment on attachment 308289 [details]
patch for landing

Attachment 308289 [details] did not pass jsc-ews (mac):
Output: http://webkit-queues.webkit.org/results/3613184

New failing tests:
stress/destructuring-assignment-accepts-iterables.js.ftl-no-cjit-no-put-stack-validate
stress/destructuring-assignment-accepts-iterables.js.dfg-eager
stress/destructuring-assignment-accepts-iterables.js.ftl-eager
stress/destructuring-assignment-accepts-iterables.js.ftl-no-cjit-b3o1
stress/destructuring-assignment-accepts-iterables.js.ftl-eager-no-cjit-b3o1
stress/destructuring-assignment-accepts-iterables.js.no-cjit-collect-continuously
stress/destructuring-assignment-accepts-iterables.js.dfg-maximal-flush-validate-no-cjit
stress/destructuring-assignment-accepts-iterables.js.ftl-no-cjit-no-inline-validate
stress/destructuring-assignment-accepts-iterables.js.dfg-eager-no-cjit-validate
stress/destructuring-assignment-accepts-iterables.js.ftl-eager-no-cjit
stress/destructuring-assignment-accepts-iterables.js.no-ftl
stress/destructuring-assignment-accepts-iterables.js.ftl-no-cjit-validate-sampling-profiler
stress/destructuring-assignment-accepts-iterables.js.no-cjit-validate-phases
stress/destructuring-assignment-accepts-iterables.js.ftl-no-cjit-small-pool
stress/destructuring-assignment-accepts-iterables.js.default
stress/destructuring-assignment-accepts-iterables.js.no-llint
Saam Barati
Comment 20 2017-04-26 16:07:09 PDT
Created attachment 308300 [details]
patch for landing

Edited some more error messages.
WebKit Commit Bot
Comment 21 2017-04-26 19:28:42 PDT
Comment on attachment 308300 [details]
patch for landing

Clearing flags on attachment: 308300

Committed r215852: <http://trac.webkit.org/changeset/215852>
WebKit Commit Bot
Comment 22 2017-04-26 19:28:45 PDT
All reviewed patches have been landed. Closing bug.